General

  • Target: your-file_iFMs6qyg.zip
  • Size: 10.0MB
  • Sample: 230331-vf1pmsdb6y
  • MD5: b67d5b17146799e13c150543d3f45df9
  • SHA1: c2054d40e0934ea16970412292131a67adf19b57
  • SHA256: d8d40e68b4b4d5c40807b0d0a2f39906595803eec3b1becbb4419081fbf0efd0
  • SHA512: 16646402848907bb92f283ac82b4f15ea1840f760245c0d399cb1ade5b44b09e7868c1317c0ff7959ba3abaff501cdec7f7bf6b4d8626742f56ebaa101773925
  • SSDEEP: 196608:pKM5aUpAI6rSLKSu9gqUd09yHwP9tdjhyrnhxQ8jdIRkrBHU4moWb5I:gWP8eBuCHI9tdjhenhxdjdIRIdqoWb5I

Malware Config

Extracted

  • Family: gcleaner
  • C2:
      85.31.45.39
      85.31.45.250
      85.31.45.251
      85.31.45.88
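The extracted C2 list is only useful once it is matched against egress telemetry. The following is an added example, not part of the sandbox report or of any vendor tooling: it loads the four C2 addresses above, derives the smallest prefix that covers them (they share one /24), and runs a constructed connection log through a two-tier verdict. The comma-separated log layout (timestamp, source IP, destination IP, destination port, bytes) is an assumption of this example.

```python
"""Match egress telemetry against the GCleaner C2 addresses extracted above.

Added example, not part of the sandbox report or of any vendor tooling. The
connection log is constructed; its comma-separated layout (timestamp, source
IP, destination IP, destination port, bytes) is an assumption of this example.
"""
import ipaddress

# Exact C2 indicators, copied from the extracted config above.
C2_IPS = {
    ipaddress.ip_address(a)
    for a in ("85.31.45.39", "85.31.45.250", "85.31.45.251", "85.31.45.88")
}


def covering_network(addrs):
    """Smallest single prefix that contains every address in `addrs`."""
    nets = [ipaddress.ip_network(str(a)) for a in addrs]
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()
    return net


# All four C2s sit in one /24. A hit in the range but not on a listed host is a
# lower-confidence "same hosting range" signal, not grounds to block on its own.
C2_RANGE = covering_network(C2_IPS)


def classify(dst):
    """'c2_exact' for a listed C2, 'c2_range' for a neighbour in the same
    prefix, None for anything else."""
    ip = ipaddress.ip_address(dst)
    if ip in C2_IPS:
        return "c2_exact"
    if ip in C2_RANGE:
        return "c2_range"
    return None


def scan(log_text):
    """Return one dict per matching connection, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split(",")
        verdict = classify(dst)
        if verdict:
            hits.append({"ts": ts, "src": src, "dst": dst, "port": int(port),
                         "bytes": int(nbytes), "verdict": verdict})
    return hits


def infected_hosts(hits):
    """Sources that talked to a listed C2 (exact matches only)."""
    return sorted({h["src"] for h in hits if h["verdict"] == "c2_exact"})


# Constructed egress log: two beacons to listed C2s, one connection to a
# neighbour in the same /24, one unrelated connection (TEST-NET-2 address).
SAMPLE_LOG = """\
2023-03-31T10:02:11Z,10.0.0.15,85.31.45.39,80,1432
2023-03-31T10:02:13Z,10.0.0.15,198.51.100.7,443,9821
2023-03-31T10:02:40Z,10.0.0.15,85.31.45.12,80,512
2023-03-31T10:03:01Z,10.0.0.22,85.31.45.250,80,2048
"""

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["src"]} -> {h["dst"]}:{h["port"]} {h["verdict"]}')
    print("covering range:", C2_RANGE, "hosts with exact C2 contact:", infected_hosts(hits))
```

Block on the exact addresses; treat the range verdict as a hunting lead, since the rest of the /24 is shared hosting space that the report says nothing about.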

Targets

  • Target: .............exe
  • Size: 5.8MB
  • MD5: 288d7d66024b6562feeb4d6baed41849
  • SHA1: cb9efb823a462d1afc8057839fecd224d661102a
  • SHA256: 7dfffd124e41f73e266f806951457060dfff9950caca0fcd1c542ff5e9a21e34
  • SHA512: 1793b4c153f4277d65cf99b2758c586f4a59234760916280deab35ae69bd48b3584ba76474243ac67efb98c052b4e9a184c16b93b10ea92292eac46224cf334a
  • SSDEEP: 98304:LX44Xe8aIUM7LhfXMObVARKlsZjLusEBHYCzg1OnW/T+1zS2owMVMowF:7VXeNIUuWObuRKIu5Y0CozSnw7bF
  • Score: 7/10

    • Executes dropped EXE
    • Loads dropped DLL
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Target: your-file_iFMs6qyg.exe
  • Size: 4.7MB
  • MD5: e97d32814a26065eab7a2ec822333504
  • SHA1: a17b566e1e8124820954489e1e3ba3135f2017cc
  • SHA256: 486bdb6d9d9697bed6d19b91b5b130e70aa02814d98062748ea46312f5a3e446
  • SHA512: 18739d0e382a86db4ca9274884ea350259e04ffe104ca68db79d25b33a14896621194082c350196e0733dc6f64e2b7fce9283d89823a56a758006a102bf7f62d
  • SSDEEP: 98304:XBdZ++DNoLX/xD8q6TbB8imPIpg/iMDC/mNTTgBOECkycN8YHDHjj88Q:xdzNy/xDxw8pPInMxNTUMFc+YHFQ

    • GCleaner
      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
    • Modifies Windows Defender Real-time Protection settings
    • Windows security bypass
    • Downloads MZ/PE file
    • Checks BIOS information in registry
      BIOS information is often read in order to detect sandboxing environments.
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials.
    • Checks for any installed AV software in registry
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.
    • Drops file in System32 directory
MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                      Count  ID
  Execution             Scheduled Task                 1      T1053
  Persistence           Modify Existing Service        1      T1031
  Persistence           Scheduled Task                 1      T1053
  Privilege Escalation  Scheduled Task                 1      T1053
  Defense Evasion       Modify Registry                4      T1112
  Defense Evasion       Disabling Security Tools       2      T1089
  Credential Access     Credentials in Files           1      T1081
  Discovery             Query Registry                 4      T1012
  Discovery             System Information Discovery   4      T1082
  Discovery             Security Software Discovery    1      T1063
  Collection            Data from Local System         1      T1005
